Analysis: SolarWinds Zero-Day Attack
In July 2021, Texas-based software provider SolarWinds disclosed that a single threat actor was exploiting a previously unknown vulnerability in its Serv-U Managed File Transfer and Serv-U Secure FTP products. The impact of this zero-day attack was limited to a small number of SolarWinds customers, but it underlined the need for robust cyber-defence measures to help prevent similar attacks.
The attack came to light on July 9th, 2021, when SolarWinds published an advisory stating that a single threat actor was exploiting a vulnerability (CVE-2021-35211) in the SSH implementation shared by Serv-U Managed File Transfer (MFT) and Serv-U Secure FTP, products widely used by businesses and individuals to transfer files securely between systems. The affected customers and their country were not named, though the attacks are believed to have originated from China.
Microsoft Alerted SolarWinds to Zero-Day Attack
SolarWinds learned of the vulnerability from Microsoft, which reported that it was already being exploited against SolarWinds customers. In its advisory, SolarWinds said that "Microsoft has provided evidence" of exploitation but that the impact was "limited and targeted".
According to Microsoft, these types of attacks are becoming more and more common as threat actors take advantage of various vulnerabilities in a wide range of software products.
While SolarWinds has since patched the security issues and improved its security measures to prevent similar attacks in the future, the threat highlights the need for businesses and individuals to remain vigilant about cyber security. With cyber criminals becoming increasingly skilled at exploiting software flaws, having strong defences in place is more important now than ever before.
SolarWinds security patch for Zero-Day
SolarWinds moved quickly to close the vulnerability with a hotfix. In the statement accompanying the hotfix, SolarWinds acknowledged the zero-day attack and committed to putting measures in place to prevent future attacks.
The company urged its customers to apply the hotfix (Serv-U 15.2.3 HF2) immediately. Because the flaw lies in Serv-U's SSH handling, installations with SSH disabled are not exposed, but every internet-facing Serv-U instance with SSH enabled should be treated as reachable by the attacker until patched.
With an ever-growing number of cyber threats emerging every day, it is crucial that companies and individuals alike take steps to protect themselves against attacks like these.
Who was behind the SolarWinds Zero-Day attack?
As this incident shows, it can be difficult to determine the true source of cyber attacks and security vulnerabilities.
Microsoft attributed the attack to a threat actor it tracks as DEV-0322 (a temporary designation Microsoft uses for a cluster of activity not yet linked to a named group), which it assesses is operating out of China. The attackers exploited a previously unknown vulnerability to carry out their intrusions, which suggests they had significant resources at their disposal.
Beyond that designation, the identity of the group behind the attack has not been publicly established, but the campaign appears to have been carefully planned and executed by a capable, well-resourced actor.
Further Reading on the SolarWinds Zero-Day
Microsoft has a dedicated team that researches and analyses zero-day attacks like the one targeting SolarWinds. Known as the Offensive Research & Security Engineering (ORSE) team, this group supports teams such as MSTIC with advanced exploit-development expertise, and it carried out the technical analysis of the Serv-U vulnerability.
The team's goal is to give Microsoft a deeper understanding of these threats so that the company can better protect its customers from similar incidents in the future.
The ORSE team combines the talents of experienced security researchers, engineers, data scientists, and prevention experts to help develop new defences against zero-day attacks. By combining cutting-edge research with practical application, this team is helping to make Microsoft’s products safer and more secure for everyone.
The ORSE team has already made major contributions to the field of cyber security, including developing a number of advanced methods for mitigating zero-day exploits. Their work has been pivotal in providing protection against many of the latest attacks, and it will continue to be an important factor in keeping businesses safe online.
Technical Details on the SolarWinds Zero-Day Provided by the ORSE Team
For those interested, the ORSE team's deep dive goes into considerable detail on the vulnerable SSH handling in Serv-U, including what it describes as the "most likely instance of such code":